2. Most importantly, the reason I installed it was that my indexes became so large that they would more than double my DB size and the speed was terrible. I have a pretty large forum (83K users, 3M+ posts) and the time it took to post was increasingly frustrating. It took forever to save the post because indexing was killing me. I think I moved to Sphinx back on phpbb version 2.X (not 100% sure), but it's been with me forever.
3. I noticed I'm getting errors like this:
Sphinx Error
» index index_phpbb_gx0r6hgn4i35d7zx_delta,index_phpbb_gx0r6hgn4i35d7zx_main: syntax error, unexpected ')' near ')\=sysdate(),sleep(15),0)'
Sphinx Error
» index index_phpbb_gx0r6hgn4i35d7zx_delta,index_phpbb_gx0r6hgn4i35d7zx_main: syntax error, unexpected '|' near '|DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),15)||'
Sphinx Error
» index index_phpbb_gx0r6hgn4i35d7zx_delta,index_phpbb_gx0r6hgn4i35d7zx_main: syntax error, unexpected ')' near ')) | 873\=(SELECT 873 FROM PG_SLEEP(15))--'
1. Do they know something I don't? Does Sphinx have vulnerabilities with SQL or code injection?
2. Is there anything I could/should do to block this type of thing?
3. Is there anything phpBB should do to prevent SQL injection in this way?
BTW, just try a Sphinx search with a parenthesis and you see this error immediately.
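One defensive check for question 2, added here as an example (not code from the post, phpBB or Sphinx): triage searchd syntax errors by whether the rejected fragment carries the time-delay and SQL signatures quoted above, so scanner probes can be counted and rate-limited separately from ordinary users who typed a parenthesis. The sample lines are constructed from the errors quoted in the post plus one hypothetical benign query; the indicator names and the "probe"/"benign-syntax" labels are my own.

```python
import re

# Sample searchd error lines. The first three are the messages quoted in the post;
# the fourth is a hypothetical benign query with a stray parenthesis, constructed here.
SAMPLE_ERRORS = [
    "index index_phpbb_gx0r6hgn4i35d7zx_delta,index_phpbb_gx0r6hgn4i35d7zx_main: "
    "syntax error, unexpected ')' near ')\\=sysdate(),sleep(15),0)'",
    "index index_phpbb_gx0r6hgn4i35d7zx_delta,index_phpbb_gx0r6hgn4i35d7zx_main: "
    "syntax error, unexpected '|' near '|DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),15)||'",
    "index index_phpbb_gx0r6hgn4i35d7zx_delta,index_phpbb_gx0r6hgn4i35d7zx_main: "
    "syntax error, unexpected ')' near ')) | 873\\=(SELECT 873 FROM PG_SLEEP(15))--'",
    "index index_phpbb_gx0r6hgn4i35d7zx_delta,index_phpbb_gx0r6hgn4i35d7zx_main: "
    "syntax error, unexpected ')' near ') settings'",
]

# Indicators drawn from the quoted fragments: time-delay functions and SQL keywords
# that nobody types into a forum search box by accident.
INDICATORS = {
    "sleep()": re.compile(r"\bsleep\s*\(", re.I),
    "pg_sleep": re.compile(r"\bpg_sleep\b", re.I),
    "dbms_pipe": re.compile(r"dbms_pipe\.receive_message", re.I),
    "sysdate()": re.compile(r"\bsysdate\s*\(", re.I),
    "select": re.compile(r"\bselect\b", re.I),
    "sql-comment": re.compile(r"--\s*$"),
}
FRAGMENT_RE = re.compile(r"near '(.*)'$")

def extract_fragment(line):
    """Return the quoted text after 'near': the piece of the query searchd could not parse."""
    m = FRAGMENT_RE.search(line)
    return m.group(1) if m else None

def classify(line):
    """Label a Sphinx syntax-error line 'probe' if an injection signature is present,
    otherwise 'benign-syntax' (an ordinary query with characters Sphinx cannot parse)."""
    fragment = extract_fragment(line) or ""
    hits = [name for name, rx in INDICATORS.items() if rx.search(fragment)]
    return {"fragment": fragment, "indicators": hits,
            "verdict": "probe" if hits else "benign-syntax"}

def triage(lines):
    """Count verdicts over a batch of error lines, e.g. a tail of the searchd log."""
    counts = {"probe": 0, "benign-syntax": 0}
    for line in lines:
        counts[classify(line)["verdict"]] += 1
    return counts

if __name__ == "__main__":
    print(triage(SAMPLE_ERRORS))  # {'probe': 3, 'benign-syntax': 1}
```

Ordinary queries that merely contain a parenthesis fall into "benign-syntax", which is the case the last line of the post describes; those are a phpBB query-escaping matter, not an attack.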